suricata
detect-ttl.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gurvinder Singh <gurvindersighdahiya@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  * Implements the ttl keyword including prefilter support.
25  */
26 
27 #include "suricata-common.h"
28 #include "stream-tcp.h"
29 
30 #include "detect.h"
31 #include "detect-parse.h"
33 #include "detect-engine-uint.h"
34 
35 #include "detect-ttl.h"
36 #include "util-debug.h"
37 #include "util-byte.h"
38 
39 /* prototypes */
40 static int DetectTtlMatch (DetectEngineThreadCtx *, Packet *,
41  const Signature *, const SigMatchCtx *);
42 static int DetectTtlSetup (DetectEngineCtx *, Signature *, const char *);
43 void DetectTtlFree (DetectEngineCtx *, void *);
44 #ifdef UNITTESTS
45 void DetectTtlRegisterTests (void);
46 #endif
47 static int PrefilterSetupTtl(DetectEngineCtx *de_ctx, SigGroupHead *sgh);
48 static bool PrefilterTtlIsPrefilterable(const Signature *s);
49 
50 /**
51  * \brief Registration function for ttl: keyword
52  */
53 
55 {
57  sigmatch_table[DETECT_TTL].desc = "check for a specific IP time-to-live value";
58  sigmatch_table[DETECT_TTL].url = "/rules/header-keywords.html#ttl";
59  sigmatch_table[DETECT_TTL].Match = DetectTtlMatch;
60  sigmatch_table[DETECT_TTL].Setup = DetectTtlSetup;
62 #ifdef UNITTESTS
64 #endif
65  sigmatch_table[DETECT_TTL].SupportsPrefilter = PrefilterTtlIsPrefilterable;
66  sigmatch_table[DETECT_TTL].SetupPrefilter = PrefilterSetupTtl;
67 
68  return;
69 }
70 
71 /**
72  * \brief This function is used to match TTL rule option on a packet with
73  * those passed via ttl
74  *
75  * \param t pointer to thread vars
76  * \param det_ctx pointer to the pattern matcher thread
77  * \param p pointer to the current packet
78  * \param m pointer to the sigmatch that we will cast into DetectU8Data
79  *
80  * \retval 0 no match
81  * \retval 1 match
82  */
83 static int DetectTtlMatch (DetectEngineThreadCtx *det_ctx, Packet *p,
84  const Signature *s, const SigMatchCtx *ctx)
85 {
86  if (PKT_IS_PSEUDOPKT(p))
87  return 0;
88 
89  uint8_t pttl;
90  if (PKT_IS_IPV4(p)) {
91  pttl = IPV4_GET_IPTTL(p);
92  } else if (PKT_IS_IPV6(p)) {
93  pttl = IPV6_GET_HLIM(p);
94  } else {
95  SCLogDebug("Packet is not IPv4 or IPv6");
96  return 0;
97  }
98 
99  const DetectU8Data *ttld = (const DetectU8Data *)ctx;
100  return DetectU8Match(pttl, ttld);
101 }
102 
103 /**
104  * \brief this function is used to attld the parsed ttl data into the current signature
105  *
106  * \param de_ctx pointer to the Detection Engine Context
107  * \param s pointer to the Current Signature
108  * \param ttlstr pointer to the user provided ttl options
109  *
110  * \retval 0 on Success
111  * \retval -1 on Failure
112  */
113 static int DetectTtlSetup (DetectEngineCtx *de_ctx, Signature *s, const char *ttlstr)
114 {
115  DetectU8Data *ttld = DetectU8Parse(ttlstr);
116  if (ttld == NULL)
117  return -1;
118 
120  NULL) {
121  DetectTtlFree(de_ctx, ttld);
122  return -1;
123  }
125  return 0;
126 }
127 
128 /**
129  * \brief this function will free memory associated with DetectU8Data
130  *
131  * \param ptr pointer to DetectU8Data
132  */
134 {
135  rs_detect_u8_free(ptr);
136 }
137 
138 /* prefilter code */
139 
140 static void
141 PrefilterPacketTtlMatch(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx)
142 {
143  if (PKT_IS_PSEUDOPKT(p)) {
144  SCReturn;
145  }
146 
147  uint8_t pttl;
148  if (PKT_IS_IPV4(p)) {
149  pttl = IPV4_GET_IPTTL(p);
150  } else if (PKT_IS_IPV6(p)) {
151  pttl = IPV6_GET_HLIM(p);
152  } else {
153  SCLogDebug("Packet is not IPv4 or IPv6");
154  return;
155  }
156 
157  const PrefilterPacketHeaderCtx *ctx = pectx;
158  if (!PrefilterPacketHeaderExtraMatch(ctx, p))
159  return;
160 
161  DetectU8Data du8;
162  du8.mode = ctx->v1.u8[0];
163  du8.arg1 = ctx->v1.u8[1];
164  du8.arg2 = ctx->v1.u8[2];
165  if (DetectU8Match(pttl, &du8)) {
166  SCLogDebug("packet matches ttl/hl %u", pttl);
167  PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt);
168  }
169 }
170 
171 static int PrefilterSetupTtl(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
172 {
174  PrefilterPacketU8Compare, PrefilterPacketTtlMatch);
175 }
176 
177 static bool PrefilterTtlIsPrefilterable(const Signature *s)
178 {
179  const SigMatch *sm;
180  for (sm = s->init_data->smlists[DETECT_SM_LIST_MATCH] ; sm != NULL; sm = sm->next) {
181  switch (sm->type) {
182  case DETECT_TTL:
183  return true;
184  }
185  }
186  return false;
187 }
188 
189 #ifdef UNITTESTS
190 #include "tests/detect-ttl.c"
191 #endif
util-byte.h
detect-engine-uint.h
SigTableElmt_::url
const char * url
Definition: detect.h:1296
DETECT_TTL
@ DETECT_TTL
Definition: detect-engine-register.h:45
SignatureInitData_::smlists
struct SigMatch_ * smlists[DETECT_SM_LIST_MAX]
Definition: detect.h:578
SigTableElmt_::desc
const char * desc
Definition: detect.h:1295
SigTableElmt_::Free
void(* Free)(DetectEngineCtx *, void *)
Definition: detect.h:1283
SigTableElmt_::name
const char * name
Definition: detect.h:1293
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1075
PKT_IS_IPV6
#define PKT_IS_IPV6(p)
Definition: decode.h:247
stream-tcp.h
SigGroupHead_
Container for matching data for a signature group.
Definition: detect.h:1445
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
DetectEngineThreadCtx_::pmq
PrefilterRuleStore pmq
Definition: detect.h:1201
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:836
PrefilterPacketHeaderCtx_::sigs_array
SigIntId * sigs_array
Definition: detect-engine-prefilter-common.h:43
PrefilterPacketHeaderValue::u8
uint8_t u8[16]
Definition: detect-engine-prefilter-common.h:24
PrefilterPacketHeaderCtx_::sigs_cnt
uint32_t sigs_cnt
Definition: detect-engine-prefilter-common.h:42
SigTableElmt_::Setup
int(* Setup)(DetectEngineCtx *, Signature *, const char *)
Definition: detect.h:1278
SigTableElmt_::SetupPrefilter
int(* SetupPrefilter)(DetectEngineCtx *de_ctx, struct SigGroupHead_ *sgh)
Definition: detect.h:1281
DetectU8Parse
DetectUintData_u8 * DetectU8Parse(const char *u8str)
This function is used to parse u8 options passed via some u8 keyword.
Definition: detect-engine-uint.c:85
PrefilterPacketHeaderCtx_
Definition: detect-engine-prefilter-common.h:35
util-debug.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1092
detect.h
SigMatch_::next
struct SigMatch_ * next
Definition: detect.h:351
DetectU8Data
DetectUintData_u8 DetectU8Data
Definition: detect-engine-uint.h:43
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:111
PrefilterPacketU8Set
void PrefilterPacketU8Set(PrefilterPacketHeaderValue *v, void *smctx)
Definition: detect-engine-uint.c:90
SCReturn
#define SCReturn
Definition: util-debug.h:273
Signature_::flags
uint32_t flags
Definition: detect.h:594
Packet_
Definition: decode.h:437
Signature_::init_data
SignatureInitData * init_data
Definition: detect.h:662
SigTableElmt_::Match
int(* Match)(DetectEngineThreadCtx *, Packet *, const Signature *, const SigMatchCtx *)
Definition: detect.h:1261
detect-ttl.c
detect-ttl.h
PrefilterPacketHeaderCtx_::v1
PrefilterPacketHeaderValue v1
Definition: detect-engine-prefilter-common.h:36
SigMatchCtx_
Used to start a pointer to SigMatch context Should never be dereferenced without casting to something...
Definition: detect.h:342
DetectTtlRegisterTests
void DetectTtlRegisterTests(void)
this function registers unit tests for DetectTtl
Definition: detect-ttl.c:212
DetectU8Match
int DetectU8Match(const uint8_t parg, const DetectUintData_u8 *du8)
Definition: detect-engine-uint.c:71
suricata-common.h
SigMatch_::type
uint16_t type
Definition: detect.h:348
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:127
PrefilterSetupPacketHeader
int PrefilterSetupPacketHeader(DetectEngineCtx *de_ctx, SigGroupHead *sgh, int sm_type, void(*Set)(PrefilterPacketHeaderValue *v, void *), bool(*Compare)(PrefilterPacketHeaderValue v, void *), void(*Match)(DetectEngineThreadCtx *det_ctx, Packet *p, const void *pectx))
Definition: detect-engine-prefilter-common.c:417
SigTableElmt_::SupportsPrefilter
bool(* SupportsPrefilter)(const Signature *s)
Definition: detect.h:1280
DetectTtlFree
void DetectTtlFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectU8Data
Definition: detect-ttl.c:133
detect-parse.h
Signature_
Signature container.
Definition: detect.h:593
SigMatch_
a single match condition for a signature
Definition: detect.h:347
IPV6_GET_HLIM
#define IPV6_GET_HLIM(p)
Definition: decode-ipv6.h:90
PrefilterPacketU8Compare
bool PrefilterPacketU8Compare(PrefilterPacketHeaderValue v, void *smctx)
Definition: detect-engine-uint.c:98
SigMatchAppendSMToList
SigMatch * SigMatchAppendSMToList(DetectEngineCtx *de_ctx, Signature *s, uint16_t type, SigMatchCtx *ctx, const int list)
Append a SigMatch to the list type.
Definition: detect-parse.c:447
detect-engine-prefilter-common.h
PKT_IS_IPV4
#define PKT_IS_IPV4(p)
Definition: decode.h:246
DetectTtlRegister
void DetectTtlRegister(void)
Registration function for ttl: keyword.
Definition: detect-ttl.c:54
IPV4_GET_IPTTL
#define IPV4_GET_IPTTL(p)
Definition: decode-ipv4.h:146
SigTableElmt_::RegisterTests
void(* RegisterTests)(void)
Definition: detect.h:1285
SIG_FLAG_REQUIRE_PACKET
#define SIG_FLAG_REQUIRE_PACKET
Definition: detect.h:246